If SMEs are going to gain the trust of bigger customers, it is vital their data security is as good as that of larger competitors.
SMEs are increasingly gaining access to lucrative deals with large corporates and Government clients. With the launch of the Government’s contract finder website for SMEs in February 2011, the floodgates have opened to new potential revenue streams. In fact, in 2010 it was estimated that a fifteen per cent increase in the proportion of central Government contracts won by SMEs could mean new business worth an extra £3 billion for the sector. But if SMEs are going to gain the trust of bigger customers, it is vital their data security is every bit as good as that of the clients they work with or larger competitors.
This is because data loss hurts organisations. For example, hacktivists such as WikiLeaks have released hundreds of thousands of unencrypted but confidential documents, to the acute embarrassment of the US government and many others. Meanwhile, there have been numerous examples of laptops and storage devices going astray or CDs with unencrypted data being lost or falling into the wrong hands.
SMEs therefore need to have robust systems in place to ensure they don’t put their customers’ data in jeopardy or breach regulations such as the Data Protection Act (DPA) or the Privacy and Electronic Communications Regulations. If the worst happens, an SME will quickly see the door to profitable contracts closed – and big business will become hesitant about engaging with small businesses in the future. Not to mention the possible £500,000 fine for violations of the DPA.
But achieving the right level of data loss prevention can be a minefield. This is because the number of servers businesses have is increasing, as is the number of end points such as PCs and mobile devices. This is further complicated by cloud computing, where data is stored and managed by a third party, and the ever-increasing volumes of unstructured data, such as emails. In fact, the volume of data created by organisations is doubling every two years.
Meanwhile, the threat landscape continues to evolve. Symantec research notes that approximately 144,000 malicious files are detected each day, equating to more than 4.3 million each month. Threats are also becoming increasingly targeted and focused on accessing both personal and business information that can be used for malicious gain or sold on via underground markets.
What can SMEs do?
Firstly, they need to think about the data loss prevention needs of their corporate and government clients, which often require more than just network security. They must protect the information itself, inform the behaviour of those carrying the information, have visibility regarding where their confidential data resides on their network, have influence over where that data is going, and implement a policy for managing it. A strategy that balances the organisation’s legal and business needs to protect information with the competing interests to share it is vital. To achieve this, there are seven best practices that SMEs should consider.
1. Assess risks: this starts the process of developing, updating or strengthening an information protection strategy and determining which approach is most appropriate for the organisation.
2. Identify and classify confidential information: decide which information is worthy of what type of protection, and which information must be protected by law.
3. Develop information protection policies and procedures: an overarching information protection policy statement summarises the organisation’s commitment to protecting confidential information, including personal and private information and confidential information received from third parties that is subject to a nondisclosure obligation.
4. Deploy technologies that enable policy compliance and enforcement: A policy without compliance and enforcement is dangerous. Lack of policy enforcement degrades policy credibility both in the eyes of those responsible for compliance and in the eyes of the law and customers. Technology solutions do more than enable policy compliance and enforcement; technology can alter user behaviour.
5. Communicate and educate employees to create a compliance culture: No amount of technology security can perform the entire job. Information security technology is only effective in a corporate culture where users take personal responsibility for protecting the organisation’s valuable intellectual assets.
6. Integrate information protection practices into business processes: employees should operate in a culture of compliance, where protecting information is integral to every aspect of the business.
7. Audit so that employees are held accountable: The purpose of the audit is to ensure that the information protection procedures and practices adopted by the organisation are being implemented consistently and effectively.
Only by taking steps such as these will SMEs be able to earn the trust of their bigger counterparts and make the most of the new revenue streams open to them. If not, the sector could let itself down by costing big business far more than it saves through partnering with agile suppliers.